May 3, 2013
15:21
World Scientific Review Volume - 9.75in x 6.5in
Chapter 13

Decoding and finding the minimum distance with Gröbner bases: history and new insights

Stanislav Bulygin and Ruud Pellikaan

[email protected], Department of Mathematics, University of Kaiserslautern, P.O. Box 3049, 67653 Kaiserslautern, Germany
[email protected], Department of Mathematics and Computing Science, Eindhoven University of Technology, P.O. Box 513, NL-5600 MB, Eindhoven, The Netherlands

In Series on Coding Theory and Cryptology vol. 7, Selected Topics in Information and Coding Theory, I. Woungang, S. Misra, S.C. Misra (Eds.), pp. 585–622, World Scientific, 2010.

In this chapter we discuss decoding techniques and finding the minimum distance of linear codes with the use of Gröbner bases. First we give a historical overview of decoding cyclic codes via solving systems of polynomial equations over finite fields. In particular we mention papers of Cooper, Reed, Chen, Helleseth, Truong, Augot, Mora, Sala and others. Some structural theorems that use Gröbner bases in this context are presented. We then shift to the general situation of arbitrary linear codes. We give an overview of the approaches of Fitzgerald and Lax. Then we introduce our method of decoding linear codes that reduces this problem to solving a system of quadratic equations. We discuss open problems and future research possibilities.
13.1. Introduction

The chapter is devoted to decoding and finding the minimum distance of arbitrary linear codes with the use of Gröbner bases. In recent years a lot of attention was paid to this question for cyclic codes, which form a particular subclass of linear codes. We give a survey on decoding cyclic codes with Gröbner bases and consider two approaches that exist for arbitrary linear codes. We also present a new method based on reducing the problems of decoding and finding the minimum distance to solving a system of quadratic equations. We give a very brief introduction to Gröbner bases theory. Introductory material can be taken for instance from [1, 2].
Quite a lot of methods exist for decoding cyclic codes and the literature on this topic is vast. We just mention [3–7]. But none of these methods corrects up to the true error-correcting capacity. The theory of Gröbner bases is used to remedy this problem. These methods are roughly divided into the following categories:

• Newton identities method [8–14]
• Power sums method or Cooper's philosophy [14–19]. The term "Cooper's philosophy" was first used during the talk [20].

In Sec. 13.2 the necessary background on Gröbner bases is given, as well as the notation we are going to use throughout the chapter. In Sec. 13.3 we give an overview of the methods based on power sums and Newton identities together with examples. Section 13.4 is devoted to the case of arbitrary linear codes. Namely, we look at the method of Fitzgerald and Lax, and the method based on solving a quadratic system of equations. We should mention that there exist other Gröbner bases-based methods for arbitrary linear codes, e.g. generalizations of Cooper's philosophy [21, 22], applications of Padé approximation [23, 24], FGLM-like techniques [25, 26], and the key equation [27]. These methods are out of the scope of this chapter. We end the chapter with thoughts for practitioners and directions for further research, as well as conclusions, a terminology list and a list of sample questions and answers on the material presented in the chapter. We made an extensive bibliography, so that the reader is able to look at the numerous sources that exist in the area.

13.2. Background

13.2.1. Gröbner bases in polynomial system solving

The theory of Gröbner bases is about solving systems of polynomial equations in several variables. It can be viewed as a common generalization of Gaussian elimination in linear algebra, which deals with linear systems of equations in several variables, and of the Euclidean algorithm, which deals with polynomial equations of arbitrary degree in one variable.
The polynomial equations are linearized by treating the monomials as new variables. In this way the number of variables grows exponentially in the degree of the polynomials. The complexity of computing a Gröbner basis is doubly exponential in general, and exponential in our case of a finite set of solutions. In this subsection we give a brief overview of monomial orders, Gröbner bases and their use in polynomial system solving. This subsection is only intended to refresh these notions; for a thorough exposition of the material the reader can use e.g. [1, 28].

Let $\mathbb{F}$ be a field and let $\mathbb{F}[X_1, \ldots, X_n] = \mathbb{F}[X]$ be the polynomial ring in $n$ variables over $\mathbb{F}$. In commutative algebra objects like polynomials, ideals and quotients are intensively studied. If we want to do computations with these objects we must somehow impose an order on them, so that we know which way a computation will go. Let $\mathrm{Mon}(X)$ be the set of all monomials in the variables $X = (X_1, \ldots, X_n)$.
Definition 13.1. A monomial order on $\mathbb{F}[X]$ is any relation $>$ on $\mathrm{Mon}(X)$ such that
(1) $>$ is a total order on $\mathrm{Mon}(X)$.
(2) $>$ is multiplicative, i.e. $X^\alpha > X^\beta$ implies $X^\alpha \cdot X^\gamma > X^\beta \cdot X^\gamma$ for all vectors $\gamma$ with non-negative integer entries; here $X^\alpha = X_1^{\alpha_1} \cdots X_n^{\alpha_n}$.
(3) $>$ is a well-order, i.e. every non-empty subset of $\mathrm{Mon}(X)$ has a minimal element.

Example 13.2. Here are some orders that will be used in this chapter.
• Lexicographic order induced by $X_1 > \cdots > X_n$: $X^\alpha >_{lp} X^\beta$ iff there exists an $s$ such that $\alpha_1 = \beta_1, \ldots, \alpha_{s-1} = \beta_{s-1}$, $\alpha_s > \beta_s$.
• Degree reverse lexicographic order induced by $X_1 > \cdots > X_n$: $X^\alpha >_{dp} X^\beta$ iff $|\alpha| := \alpha_1 + \cdots + \alpha_n > \beta_1 + \cdots + \beta_n =: |\beta|$, or if $|\alpha| = |\beta|$ and there exists an $s$ such that $\alpha_n = \beta_n, \ldots, \alpha_{n-s+1} = \beta_{n-s+1}$, $\alpha_{n-s} < \beta_{n-s}$.
• Block order or product order. Let $X$ and $Y$ be two ordered sets of variables, $>_1$ a monomial order on $\mathbb{F}[X]$ and $>_2$ a monomial order on $\mathbb{F}[Y]$. The block order on $\mathbb{F}[X, Y]$ is the following: $X^{\alpha_1} Y^{\beta_1} > X^{\alpha_2} Y^{\beta_2}$ iff $X^{\alpha_1} >_1 X^{\alpha_2}$, or if $X^{\alpha_1} = X^{\alpha_2}$ and $Y^{\beta_1} >_2 Y^{\beta_2}$.

Definition 13.3. Let $>$ be a monomial order on $\mathbb{F}[X]$. Let $f = \sum_\alpha c_\alpha X^\alpha$ be a non-zero polynomial from $\mathbb{F}[X]$. Let $\alpha_0$ be such that $c_{\alpha_0} \neq 0$ and $X^{\alpha_0} > X^\alpha$ for all $\alpha$ with $c_\alpha \neq 0$. Then $\mathrm{lc}(f) := c_{\alpha_0}$ is called the leading coefficient of $f$, $\mathrm{lm}(f) := X^{\alpha_0}$ is called the leading monomial of $f$, and $\mathrm{lt}(f) := c_{\alpha_0} X^{\alpha_0}$ is called the leading term of $f$.

Having these notions we are ready to define the notion of a Gröbner basis.

Definition 13.4. Let $I$ be an ideal in $\mathbb{F}[X]$. The leading ideal of $I$ with respect to $>$ is defined as $L_>(I) := \langle \mathrm{lt}(f) \mid f \in I, f \neq 0 \rangle$. $L_>(I)$ is sometimes abbreviated by $L(I)$. A finite subset $G = \{g_1, \ldots, g_m\}$ of $I$ is called a Gröbner basis for $I$ with respect to $>$ if $L_>(I) = \langle \mathrm{lt}(g_1), \ldots, \mathrm{lt}(g_m) \rangle$.

Example 13.5. Consider two polynomials $f = X^3$, $g = Y^4 - X^2 Y$ from $\mathbb{F}[X, Y]$, where $\mathbb{F}$ is any field. We claim that $f$ and $g$ constitute a Gröbner basis of the ideal $I = \langle f, g \rangle$ with respect to the degree reverse lexicographic order $>_{dp}$ with $X > Y$. For this we need to show that $L(I) = \langle \mathrm{lt}(f), \mathrm{lt}(g) \rangle$. We have $\mathrm{lt}(f) = X^3$ and $\mathrm{lt}(g) = Y^4$. Thus we have to show that $\mathrm{lt}(h)$ is divisible either by $X^3$ or by $Y^4$, for any $h \in I$. A polynomial $h \in I$ can be written as $h = af + bg = aX^3 + b(Y^4 - X^2 Y)$. If $\deg(a) > 1 + \deg(b)$, then $\mathrm{lm}(h) = \mathrm{lm}(a) X^3$. If $\deg(a) < 1 + \deg(b)$, then $\mathrm{lm}(h)$ is divisible by $Y^4$. If $\deg(a) = 1 + \deg(b)$ and $\mathrm{lm}(a) X^3 \neq \mathrm{lm}(b) Y^4$, then $\mathrm{lm}(h) = \mathrm{lm}(a) X^3$. If $\deg(a) = 1 + \deg(b)$ and $\mathrm{lm}(a) X^3 = \mathrm{lm}(b) Y^4$, then $\mathrm{lm}(h)$ is divisible by $X^3$.
Every ideal has a Gröbner basis. By doing some additional operations on the elements of a Gröbner basis, one can construct a reduced Gröbner basis. For the definition we refer to the literature. The reduced Gröbner basis of an ideal with respect to a given monomial order is unique. There are several algorithms for computing Gröbner bases. Historically the first is Buchberger's algorithm [29] and its numerous improvements and optimizations implemented in different computer algebra systems like for example SINGULAR [30], MAGMA [31], CoCoA [32]. There are also the algorithms F4 and F5 [33, 34]. The algorithm F4 is implemented e.g. in MAGMA and FGb [35].

For solving systems of polynomial equations with the use of Gröbner bases we need the so-called elimination orders.

Definition 13.6. Let $S$ be some subset of the variables in $X$. A monomial order $>$ on $\mathbb{F}[X]$ is called an elimination order with respect to $S$ if for all $f \in \mathbb{F}[X]$ the fact that $\mathrm{lm}(f) \in \mathbb{F}[X \setminus S]$ implies that $f \in \mathbb{F}[X \setminus S]$.

For example, the block order $(>_1, >_2)$ on $\mathbb{F}[S, T]$ (where $S \subset X$ and $T = X \setminus S$), with $>_1$ defined on $\mathbb{F}[S]$ and $>_2$ defined on $\mathbb{F}[T]$, is an elimination order with respect to $S$. In particular, the lexicographic order is an elimination order with respect to any subset $S$ of $X$. Due to this property of the lexicographic order we have the following theorem, which can be obtained from the Elimination Theorem, p. 114, and the theorem about finiteness, p. 232, of [1]; see also p. 83 of [28].

Theorem 13.7. Let $f_1(X) = \cdots = f_m(X) = 0$ be a system of polynomial equations defined over $\mathbb{F}[X]$ with $X = (X_1, \ldots, X_n)$, such that it has finitely many solutions in $\bar{\mathbb{F}}^n$, where $\bar{\mathbb{F}}$ is the algebraic closure of $\mathbb{F}$. Let $I = \langle f_1, \ldots, f_m \rangle$ be the ideal defined by the polynomials in the system and let $G$ be a Gröbner basis for $I$ with respect to $>_{lp}$. Then there are elements $g_1, \ldots, g_n \in G$ such that
$$g_n \in \mathbb{F}[X_n], \quad \mathrm{lt}(g_n) = c_n X_n^{m_n},$$
$$g_{n-1} \in \mathbb{F}[X_{n-1}, X_n], \quad \mathrm{lt}(g_{n-1}) = c_{n-1} X_{n-1}^{m_{n-1}},$$
$$\ldots$$
$$g_1 \in \mathbb{F}[X_1, \ldots, X_n], \quad \mathrm{lt}(g_1) = c_1 X_1^{m_1}.$$

It is clear how to solve the system now. After computing $G$, first solve the univariate equation $g_n(X_n) = 0$. Let $a^{(n)}_1, \ldots, a^{(n)}_{l_n}$ be its roots. For every $a^{(n)}_i$ then solve $g_{n-1}(X_{n-1}, a^{(n)}_i) = 0$ to find the possible values for $X_{n-1}$. Repeat this process until all the coordinates of all the solutions are found. Since the number of solutions is finite this is always possible.

Remark 13.8. Usually, from the practical point of view, finding a Gröbner basis with respect to an elimination order is harder than with respect to some degree-refining order, like the degree reverse lexicographic order. Therefore a conversion technique like FGLM [36] comes in handy here. It enables one to convert a basis with respect to one order, for instance some degree-refining order, to another one, such as the lexicographic order. For solving we actually need an elimination order, but sometimes it is possible to obtain a result with a degree order. More on that in Sec. 13.4.2, Theorem 13.34.

13.2.2. Notation

Let $C$ be a linear code over the field $\mathbb{F}_q$ with $q$ elements, of length $n$, dimension $k$ and minimum distance $d$. The parameters of $C$ are denoted by $[n, k, d]$ and its redundancy by $r = n - k$. The (true) error-correcting capacity $\lfloor (d-1)/2 \rfloor$ of the code is denoted by $e$. The code $C$ can be constructed via its generator matrix $G$, which is any matrix composed of a basis of vectors in $C$. Alternatively, one can see $C$ as the null-space of a parity-check matrix $H$, so $c \in C$ iff $Hc^T = 0$. The code $C$ is cyclic if for every codeword $c = (c_0, \ldots, c_{n-1})$ in $C$ its cyclic shift $(c_{n-1}, c_0, \ldots, c_{n-2})$ is again a codeword in $C$. When working with cyclic codes, vectors are usually presented as polynomials. So $c$ is represented by the polynomial $c(x) = \sum_{i=0}^{n-1} c_i x^i$ with $x^n = 1$; more precisely, $c(x)$ is an element of the factor ring $\mathbb{F}_q[x]/\langle x^n - 1 \rangle$. Cyclic codes over $\mathbb{F}_q$ of length $n$ correspond one-to-one to ideals in this factor ring. We assume for cyclic codes that $(q, n) = 1$. Let $\mathbb{F} = \mathbb{F}_{q^m}$ be the splitting field of $X^n - 1$ over $\mathbb{F}_q$. Then $\mathbb{F}$ has a primitive $n$-th root of unity, which will be denoted by $a$. A cyclic code is uniquely given by a defining set $S_C$, which is a subset of $\mathbb{Z}_n$ such that $c(x) \in C$ if $c(a^i) = 0$ for all $i \in S_C$. The complete defining set of $C$ is the set of all $i \in \mathbb{Z}_n$ such that $c(a^i) = 0$ for all $c(x) \in C$. If $c(a^i) = 0$, then $c(a^{qi}) = (c(a^i))^q = 0$. Hence a defining set is complete if and only if it is invariant under multiplication by $q$. The cyclotomic set of a number $a \in \mathbb{Z}_n$ is the subset $Cl(a) := \{a q^i \bmod n \mid i \in \mathbb{N}\}$. A defining set is complete iff it is a disjoint union of some cyclotomic sets. The size of the complete defining set is equal to the redundancy $r = n - k$.

13.3. Decoding and finding minimum distance of cyclic codes

13.3.1. Cooper's philosophy and its development

In this subsection we give an overview of the so-called Cooper's philosophy or the power sums method (see Sec. 13.1). The idea here is basically to write parity check equations with unknowns for the error positions and error values, and then to try to solve with respect to these unknowns after adding some natural restrictions on them. If $i$ is in the defining set of $C$, then
$$(1, a^i, \ldots, a^{(n-1)i})\, c^T = c_0 + c_1 a^i + \cdots + c_{n-1} a^{(n-1)i} = c(a^i) = 0.$$
Hence $(1, a^i, \ldots, a^{(n-1)i})$ is a parity check of $C$. Let $\{i_1, \ldots, i_r\}$ be a defining set of $C$. Then a parity check matrix $H$ of $C$ can be represented as a matrix with entries in $\mathbb{F}$:
$$H = \begin{pmatrix} 1 & a^{i_1} & a^{2i_1} & \ldots & a^{(n-1)i_1} \\ 1 & a^{i_2} & a^{2i_2} & \ldots & a^{(n-1)i_2} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & a^{i_r} & a^{2i_r} & \ldots & a^{(n-1)i_r} \end{pmatrix}.$$
Let $c$, $r$ and $e$ be the transmitted codeword, the received word and the error vector, respectively. Then $r = c + e$. Denote the corresponding polynomials by $c(x)$, $y(x)$ and $e(x)$, respectively. If we apply the parity check matrix to $r$, we obtain
$$s^T := Hr^T = H(c^T + e^T) = Hc^T + He^T = He^T,$$
since $Hc^T = 0$, where $s$ is the so-called syndrome vector. Define $s_i = y(a^i)$ for all $i = 1, \ldots, n$. Then $s_i = e(a^i)$ for all $i$ in the complete defining set, and these $s_i$ are called the known syndromes. The remaining $s_i$ are called the unknown syndromes. The vector $s$ above has entries $s = (s_{i_1}, \ldots, s_{i_r})$. Let $t$ be the number of errors that occurred while transmitting $c$ over a noisy channel. If the error vector is of weight $t$, then it is of the form
$$e = (0, \ldots, 0, e_{j_1}, 0, \ldots, 0, e_{j_l}, 0, \ldots, 0, e_{j_t}, 0, \ldots, 0);$$
more precisely, there are $t$ indices $j_l$ with $1 \le j_1 < \cdots < j_t \le n$ such that $e_{j_l} \neq 0$ for all $l = 1, \ldots, t$ and $e_j = 0$ for all $j$ not in $\{j_1, \ldots, j_t\}$. We obtain
$$s_{i_m} = y(a^{i_m}) = e(a^{i_m}) = \sum_{l=1}^{t} e_{j_l} (a^{i_m})^{j_l}, \quad 1 \le m \le r. \tag{13.1}$$
The $a^{j_1}, \ldots, a^{j_t}$, but also the $j_1, \ldots, j_t$, are called the error locations, and the $e_{j_1}, \ldots, e_{j_t}$ are called the error values. Define $z_l = a^{j_l}$ and $y_l = e_{j_l}$. Then $z_1, \ldots, z_t$ are the error locations and $y_1, \ldots, y_t$ are the error values, and the syndromes in Eq. (13.1) become generalized power sum functions
$$s_{i_m} = \sum_{l=1}^{t} y_l z_l^{i_m}, \quad 1 \le m \le r. \tag{13.2}$$
In the binary case the error values are $y_i = 1$, and the syndromes are the ordinary power sums. Now we give a description of Cooper's philosophy [18]. As the receiver does not know how many errors occurred, the upper bound $t$ is replaced by the error-correcting capacity $e$ and some $z_l$'s are allowed to be zero, while assuming that the number of errors is at most $e$. The following variables are introduced: $X_1, \ldots, X_r$, $Z_1, \ldots, Z_e$ and $Y_1, \ldots, Y_e$, where $X_j$ stands for the syndrome $s_j$, $1 \le j \le r$; $Z_l$ stands for the error location $z_l$ for $1 \le l \le t$, and for $0$ when $t < l \le e$; and finally $Y_l$ stands for the error
value $y_l$ for $1 \le l \le t$, and for any element of $\mathbb{F}_q$ when $t < l \le e$. The syndrome equations Eq. (13.1) are rewritten in terms of these variables as power sums:
$$f_u := \sum_{l=1}^{e} Y_l Z_l^{i_u} - X_u = 0, \quad 1 \le u \le r.$$
We also add some other equations in order to specify the range of values that can be taken by our variables, namely:
$$X_j^{q^m} - X_j = 0, \quad 1 \le j \le r, \quad \text{since } s_j \in \mathbb{F};$$
$$\eta_i := Z_i^{n+1} - Z_i = 0, \quad 1 \le i \le e, \quad \text{since the } a^{j_i} \text{ are either } n\text{-th roots of unity or zero; and}$$
$$\lambda_i := Y_i^{q-1} - 1 = 0, \quad 1 \le i \le e, \quad \text{since } y_l \in \mathbb{F}_q \setminus \{0\}.$$
We obtain the following set of polynomials in the variables $X = (X_1, \ldots, X_r)$, $Z = (Z_1, \ldots, Z_e)$ and $Y = (Y_1, \ldots, Y_e)$:
$$F_C = \{f_j,\ X_j^{q^m} - X_j,\ \eta_i,\ \lambda_i : 1 \le j \le r,\ 1 \le i \le e\} \subset \mathbb{F}_q[X, Z, Y]. \tag{13.3}$$
The zero-dimensional ideal $I_C$ generated by $F_C$ is called the CRHT-syndrome ideal associated to the code $C$, and the variety $V(F_C)$ defined by $F_C$ is called the CRHT-syndrome variety, after Chen, Reed, Helleseth and Truong, see [14, 16, 17]. We have $V(F_C) = V(I_C)$. Initially, decoding of cyclic codes was essentially brought down to finding the reduced Gröbner basis of the CRHT-ideal. It turned out that adding more polynomials to this ideal gives better results [19]. By adding the polynomials
$$\chi_{l,m} := Z_l Z_m\, p(n, Z_l, Z_m) = 0, \quad 1 \le l < m \le e,$$
to $F_C$, where
$$p(n, X, Y) = \frac{X^n - Y^n}{X - Y} = \sum_{i=0}^{n-1} X^i Y^{n-1-i}, \tag{13.4}$$
we ensure that for all $l$ and $m$ either $Z_l$ and $Z_m$ are distinct or at least one of them is zero. The resulting set of polynomials is
$$F_C' := \{f_j,\ X_j^{q^m} - X_j,\ \eta_i,\ \lambda_i,\ \chi_{l,m} : 1 \le j \le r,\ 1 \le i \le e,\ 1 \le l < m \le e\} \subset \mathbb{F}_q[X, Z, Y]. \tag{13.5}$$
The ideal generated by $F_C'$ is denoted by $I_C'$. By investigating the structure of $I_C'$ and its reduced Gröbner basis with respect to the lexicographic order induced by $X_1 < \cdots < X_r < Z_e < \cdots < Z_1 < Y_1 < \cdots < Y_e$, the following result is proved, see [19, Theorems 6.8, 6.9].
Theorem 13.9. Every cyclic code $C$ possesses a general error-locator polynomial $L_C$. That means that there exists a unique polynomial $L_C$ from $\mathbb{F}_q[X_1, \ldots, X_r, Z]$ that satisfies the following two properties:
• $L_C = Z^e + a_{t-1} Z^{e-1} + \cdots + a_0$ with $a_j \in \mathbb{F}_q[X_1, \ldots, X_r]$, $0 \le j \le e-1$;
• given a syndrome $s = (s_1, \ldots, s_r) \in \mathbb{F}^r$ corresponding to an error of weight $t \le e$ and error locations $\{k_1, \ldots, k_t\}$, if we evaluate $X_i = s_i$ for all $1 \le i \le r$, then the roots of $L_C(s, Z)$ are exactly $a^{k_1}, \ldots, a^{k_t}$ and $0$ of multiplicity $e - t$; in other words
$$L_C(s, Z) = Z^{e-t} \prod_{i=1}^{t} (Z - a^{k_i}).$$

Such an error locator polynomial is actually an element of the reduced Gröbner basis of $I_C'$. Having this polynomial, decoding of the cyclic code $C$ reduces to univariate factorization. The main effort here is finding the reduced Gröbner basis of $I_C'$. In general this is infeasible already for codes of moderate size, but for small codes it is possible to apply this technique successfully [37].

Example 13.10. As an example we consider finding the general error locator polynomial for the binary cyclic BCH code $C$ with parameters $[15, 7, 5]$ that corrects 2 errors. This code has $\{1, 3\}$ as a defining set. So here $q = 2$, $m = 4$, $n = 15$. The field $\mathbb{F}_{16}$ is the splitting field of $X^{15} - 1$ over $\mathbb{F}_2$. During this example we show how the idea of Cooper's philosophy is applied. For a rigorous justification of the steps below, see [14, 16, 17, 19, 37]. In the above description we have to write equations for all syndromes that correspond to elements in the complete defining set. Note that we may write the equations only for the elements of the defining set $\{1, 3\}$, as all the others are just consequences of those. Following the description above we write the generators $F_C'$ of the ideal $I_C'$ in the ring $\mathbb{F}_{16}[X_1, X_2, Z_1, Z_2]$:
$$Z_1 + Z_2 - X_1, \quad Z_1^3 + Z_2^3 - X_2,$$
$$X_1^{16} - X_1, \quad X_2^{16} - X_2,$$
$$Z_1^{16} - Z_1, \quad Z_2^{16} - Z_2,$$
$$Z_1 Z_2\, p(15, Z_1, Z_2).$$
We suppress the equations $\lambda_1$ and $\lambda_2$ as the error values are over $\mathbb{F}_2$. In order to find the general error locator polynomial we compute the reduced Gröbner basis $G$ of the ideal $I_C'$ with respect to the lexicographic order induced by $X_1 < X_2 < Z_2 < Z_1$. The elements of $G$ are:
$$X_1^{16} + X_1,$$
$$X_2 X_1^{15} + X_2,$$
$$X_2^8 + X_2^4 X_1^{12} + X_2^2 X_1^3 + X_2 X_1^6,$$
$$Z_2 X_1^{15} + Z_2,$$
$$Z_2^2 + Z_2 X_1 + X_2 X_1^{14} + X_1^2,$$
$$Z_1 + Z_2 + X_1.$$
According to Theorem 6.8 (cf. [19]) the general error locator polynomial $L_C$ is then the unique element of $G$ of degree 2 with respect to $Z_2$. So $L_C \in \mathbb{F}_2[X_1, X_2, Z]$ is
$$L_C(X_1, X_2, Z) = Z^2 + Z X_1 + X_2 X_1^{14} + X_1^2.$$
Let us see how decoding using $L_C$ works. Let $r = (0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1)$ be a received word with at most 2 errors. In the field $\mathbb{F}_{16}$ with a primitive element $a$ such that $a^4 + a + 1 = 0$, $a$ is also a 15-th root of unity. Then the syndromes are $s_1 = a^2$, $s_3 = a$. Plug them into $L_C$ in place of $X_1$ and $X_2$ and obtain
$$L_C(Z) = Z^2 + a^2 Z + a (a^2)^{14} + (a^2)^2 = Z^2 + a^2 Z + a^9.$$
Factorizing yields $L_C = (Z + a^3)(Z + a^6)$. According to Theorem 13.9, the exponents 3 and 6 are exactly the error locations minus 1, so the errors occurred on positions 4 and 7. Consider another example. Let $r = (0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0)$ be a received word with at most 2 errors. The syndromes are now $s_1 = a^8$, $s_3 = a^9$. Plug them into $L_C$ in place of $X_1$ and $X_2$ and obtain
$$L_C(Z) = Z^2 + a^8 Z + a^9 (a^8)^{14} + (a^8)^2 = Z^2 + a^8 Z.$$
Factorizing yields $L_C = Z(Z + a^8)$. Thus, according to Theorem 13.9, 1 error occurred, namely on position $8 + 1 = 9$.

This method can be adapted to correct erasures [19], and to find the minimum distance of a code [38]. The basic approach is as follows. We are working again with the cyclic code $C$ with parameters $[n, k, d]$ over $\mathbb{F}_q$. Let $w \le d$. Denote by $J_C(w)$ the set of equations Eq. (13.5) for $t = w$, with the variables $X_i$ assigned to zero and the equations $Z_i^{n+1} - Z_i = 0$ replaced by $Z_i^n - 1 = 0$. In the binary case we have the following result, which can be deduced from Theorem 3.3 and Corollary 3.4 of [38]:

Theorem 13.11. Let $C$ be a binary $[n, k, d]$ cyclic code with a defining set $S_C = \{i_1, \ldots, i_r\}$. Let $1 \le w \le n$ and let $J_C(w)$ denote the system
$$Z_1^{i_1} + \cdots + Z_w^{i_1} = 0,$$
$$\ldots$$
$$Z_1^{i_r} + \cdots + Z_w^{i_r} = 0,$$
$$Z_1^n - 1 = 0,$$
$$\ldots$$
$$Z_w^n - 1 = 0,$$
$$p(n, Z_i, Z_j) = 0, \quad 1 \le i < j \le w.$$
Then the number of solutions of $J_C(w)$ is equal to $w!$ times the number of codewords of weight $w$. And for $1 \le w \le d$:
• either $J_C(w)$ has no solutions, which is equivalent to $w < d$,
• or $J_C(w)$ has some solutions, which is equivalent to $w = d$.
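The decoding step of Example 13.10 and the counting statement of Theorem 13.11 carried out in code, as an added example that is not part of the chapter: it evaluates $L_C$ at the two syndrome pairs of Example 13.10 and finds the roots by exhaustive search over $\mathbb{F}_{16}$, then tests all $2^{15}$ binary words against the defining set $\{1, 3\}$ to get the weight distribution, which Theorem 13.11 relates to the number of solutions of $J_C(w)$ (the chapter obtains this via a Gröbner basis in Example 13.12 below). The field, its defining polynomial, the code and the received words are the chapter's; the function names are ours.

```python
import math

# Added example, not code from the chapter: decode the binary [15,7,5] BCH code of
# Example 13.10 with its general error-locator polynomial L_C, and check by brute
# force the count "w! times the number of weight-w codewords" of Theorem 13.11.
# Arithmetic is in F_16 = F_2[a]/(a^4 + a + 1); an element is a 4-bit integer whose
# bit i is the coefficient of a^i (so the primitive element a is 0b0010).

M = 4                     # F_16 = F_{2^4}
N = 15                    # code length; a is a primitive 15-th root of unity
PRIM_POLY = 0b10011       # a^4 + a + 1, as in Example 13.10
DEFINING_SET = (1, 3)     # S_C: c is a codeword iff c(a) = c(a^3) = 0

# exp/log tables: EXP[i] = a^i (stored twice so EXP[i + j] needs no reduction)
EXP = [0] * (2 * N)
LOG = [0] * (N + 1)
_x = 1
for _i in range(N):
    EXP[_i] = EXP[_i + N] = _x
    LOG[_x] = _i
    _x <<= 1                    # multiply by a
    if _x & (1 << M):           # reduce modulo a^4 + a + 1
        _x ^= PRIM_POLY

def mul(u, v):
    """Product in F_16; addition in F_16 is plain XOR."""
    return 0 if u == 0 or v == 0 else EXP[LOG[u] + LOG[v]]

def power(u, k):
    """u^k in F_16 for k >= 1."""
    return 0 if u == 0 else EXP[(LOG[u] * k) % N]

def syndromes(word):
    """Known syndromes s_i = r(a^i), i in S_C (Eq. (13.1) with error values 1)."""
    out = []
    for i in DEFINING_SET:
        acc = 0
        for j, bit in enumerate(word):
            if bit:
                acc ^= EXP[(i * j) % N]
        out.append(acc)
    return out

def error_positions(word):
    """1-based error positions of a word with at most 2 errors, read off the
    roots of L_C(s1, s3, Z) = Z^2 + s1 Z + s3 s1^14 + s1^2 (Example 13.10).
    Roots are found by trying every non-zero element of F_16; a root 0 of L_C
    only signals that fewer than 2 errors occurred (Theorem 13.9)."""
    s1, s3 = syndromes(word)
    const = mul(s3, power(s1, 14)) ^ mul(s1, s1)
    positions = [LOG[z] + 1                      # root a^j <-> position j + 1
                 for z in range(1, 1 << M)
                 if mul(z, z) ^ mul(s1, z) ^ const == 0]
    return sorted(positions)

def correct(word):
    """Flip the bits at the decoded error positions."""
    c = list(word)
    for p in error_positions(word):
        c[p - 1] ^= 1
    return c

def is_codeword(word):
    return all(s == 0 for s in syndromes(word))

def _xor_sum(row, support):
    acc = 0
    for j in support:
        acc ^= row[j]
    return acc

def weight_distribution():
    """A_w for every weight w, by testing all 2^15 binary words against S_C.
    Theorem 13.11 then says that J_C(w) has exactly w! * A_w solutions."""
    rows = [[EXP[(i * j) % N] for j in range(N)] for i in DEFINING_SET]
    dist = {}
    for v in range(1 << N):
        support = [j for j in range(N) if v >> j & 1]
        if all(_xor_sum(row, support) == 0 for row in rows):
            dist[len(support)] = dist.get(len(support), 0) + 1
    return dist

if __name__ == "__main__":
    # the two received words of Example 13.10 (taken from the chapter)
    for r in ([0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1],
              [0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0]):
        s1, s3 = syndromes(r)
        print("s1 = a^%d, s3 = a^%d -> errors at %s" % (LOG[s1], LOG[s3], error_positions(r)))
    dist = weight_distribution()
    d = min(w for w in dist if w > 0)
    print("d = %d, A_d = %d, so J_C(d) has %d solutions" % (d, dist[d], math.factorial(d) * dist[d]))
```

Running the file reports the error positions 4, 7 and 9 of Example 13.10 and $d = 5$ with $A_5 = 18$ codewords of minimum weight, so $J_C(5)$ has $5! \cdot 18 = 2160$ solutions.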
So the method of finding the minimum distance is based on replacing the syndrome variables by zeros and then searching for solutions of the corresponding parametrized systems. In the previous theorem $J_C(w)$ is parametrized by $w$. We also mention the notion of accelerator polynomials. The idea is as follows. Since, when trying to find the minimum distance of a code, we are only interested in the question whether the corresponding system $J_C(w)$ has solutions or not, we may add some polynomials $A_C(w)$ with the property that if the system $J_C(w)$ had some solutions, then the enlarged system $A_C(w) \cup J_C(w)$ also has some solutions. So not all solutions are lost. In [39] it is shown how to choose such polynomials $A_C(w)$, so that solving the system $A_C(w) \cup J_C(w)$ takes less time than solving $J_C(w)$. It is possible to adapt the method to finding codewords of a certain weight, and thus the weight enumerator of a given code.

Example 13.12. As an example application of Theorem 13.11 we show how to determine the minimum distance of the cyclic code $C$ from Example 13.10. This binary cyclic code $C$ has parameters $[15, 7]$ and defining set $\{1, 3\}$, so the assumptions of Theorem 13.11 are satisfied. We have to look at all systems $J_C(w)$ starting from $w = 1$, until we encounter a system which has some solutions. The system $J_C(w)$ is
$$Z_1 + \cdots + Z_w = 0,$$
$$Z_1^3 + \cdots + Z_w^3 = 0,$$
$$Z_1^{15} - 1 = 0,$$
$$\ldots$$
$$Z_w^{15} - 1 = 0,$$
$$p(15, Z_i, Z_j) = 0, \quad 1 \le i < j \le w.$$
For $w = 1, \ldots, 4$ the reduced Gröbner basis of $J_C(w)$ is $\{1\}$, so there are no solutions. For $J_C(5)$ the reduced Gröbner basis with respect to the lexicographic order is
$$Z_5^{15} + 1,$$
$$Z_4^{12} + Z_4^9 Z_5^3 + Z_4^6 Z_5^6 + Z_4^3 Z_5^9 + Z_5^{12},$$
$$Z_3^6 + Z_3^4 Z_4 Z_5 + Z_3^2 Z_4^2 Z_5^2 + Z_3 Z_4^4 Z_5 + Z_3 Z_4 Z_5^4 + Z_4^6 + Z_5^6,$$
$$g_2(Z_2, Z_3, Z_4, Z_5),$$
$$Z_1 + Z_2 + Z_3 + Z_4 + Z_5.$$
Here $g_2(Z_2, Z_3, Z_4, Z_5)$ is equal to
$$Z_2^2 + Z_2 Z_3 + Z_2 Z_4 + Z_2 Z_5 + Z_3^5 Z_4^{10} Z_5^2 + Z_3^5 Z_4^9 Z_5^3 + Z_3^5 Z_4^8 Z_5^4 + Z_3^5 Z_4^4 Z_5^8 + Z_3^5 Z_4^3 Z_5^9 + Z_3^5 Z_4^2 Z_5^{10}$$
$$+ Z_3^4 Z_4^{11} Z_5^2 + Z_3^4 Z_4^8 Z_5^5 + Z_3^4 Z_4^5 Z_5^8 + Z_3^4 Z_4^2 Z_5^{11} + Z_3^3 Z_4^{10} Z_5^4 + Z_3^3 Z_4^9 Z_5^5 + Z_3^3 Z_4^8 Z_5^6 + Z_3^3 Z_4^4 Z_5^{10}$$
$$+ Z_3^3 Z_4^3 Z_5^{11} + Z_3^3 Z_4^2 Z_5^{12} + Z_3^3 Z_5^{14} + Z_3^2 Z_4^{11} Z_5^4 + Z_3^2 Z_4^8 Z_5^7 + Z_3^2 Z_4^5 Z_5^{10} + Z_3^2 Z_4^2 Z_5^{13} + Z_3^2 Z_4 Z_5^{14}$$
$$+ Z_3^2 + Z_3 Z_4^{10} Z_5^6 + Z_3 Z_4^9 Z_5^7 + Z_3 Z_4^8 Z_5^8 + Z_3 Z_4^4 Z_5^{12} + Z_3 Z_4^3 Z_5^{13} + Z_3 Z_4 + Z_4^{11} Z_5^6 + Z_4^8 Z_5^9 + Z_4^5 Z_5^{12} + Z_4^3 Z_5^{14} + Z_4^2.$$
Already the fact that the Gröbner basis of $J_C(5)$ is not equal to $\{1\}$ shows that there is a solution. Theorem 13.7 gives all solutions explicitly. We show how to obtain one solution here. Namely, we know already that $a^{15} + 1 = 0$, where $a$ is a primitive element of $\mathbb{F}_{16}$, so set $Z_5 = a$ and the first equation is satisfied. Substituting $Z_5 = a$ into the second equation, we have $Z_4^{12} + a^3 Z_4^9 + a^6 Z_4^6 + a^9 Z_4^3 + a^{12} = 0$. Factorizing yields that $Z_4 = 1$ is one of the roots. Substitute $Z_5 = a$, $Z_4 = 1$ into the third equation. We have $Z_3^6 + a Z_3^4 + a^2 Z_3^2 + Z_3 + a^{13} = 0$. Factorizing yields that $Z_3 = a^2$ is one of the roots. Substitute $Z_5 = a$, $Z_4 = 1$, $Z_3 = a^2$ into the fourth equation. We have $Z_2^2 + a^{10} Z_2 + a^7 = 0$. Here $Z_2 = a^9$ is one of the roots. Finally, substitute $Z_5 = a$, $Z_4 = 1$, $Z_3 = a^2$, $Z_2 = a^9$ into the last equation. We obtain that $Z_1 = a^{13}$. Thus we have proved that the system $J_C(5)$ has a solution, and thus the minimum distance of $C$ is 5, which coincides with what we had in Example 13.10. Note that the BCH bound yields $d(C) \ge 5$, so in fact it was necessary to consider only $J_C(5)$. Here it is possible to count the number of roots. Due to the equations $Z_1^{15} - 1 = 0, \ldots, Z_5^{15} - 1 = 0$ and the fact that $\mathbb{F}_{16}$ is the splitting field of $X^{15} - 1$, the number of solutions is just the product of the degrees of the leading terms of the elements in the Gröbner basis above. This number is $15 \cdot 12 \cdot 6 \cdot 2 \cdot 1 = 2160$. Dividing this number by $5!$ yields the number of minimum weight codewords: 18. We mention that the first use of Gröbner bases in finding the minimum distance appears to be in [40].

13.3.2. Newton identities based method

The error-locator polynomial is defined by
$$\sigma(Z) = \prod_{l=1}^{t} (Z - z_l).$$
If this product is expanded,
$$\sigma(Z) = Z^t + \sigma_1 Z^{t-1} + \cdots + \sigma_{t-1} Z + \sigma_t,$$
then the coefficients $\sigma_i$ are the elementary symmetric functions in the error locations $z_1, \ldots, z_t$:
$$\sigma_i = (-1)^i \sum_{1 \le j_1 < \cdots < j_i \le t} z_{j_1} z_{j_2} \cdots z_{j_i}, \quad 1 \le i \le t.$$

$\ldots > S_6 > S_4 > \cdots > S_2 > \sigma_1 > \sigma_2 > \sigma_3 > S_7 > S_5 > S_1$. Unfortunately the computation is quite time consuming and the result is too huge to illustrate the idea. Rather, we do online decoding, i.e. we compute the syndromes $S_1, S_5, S_7$, plug the values into the system and then find the $\sigma$'s. Let
$$r = (0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1)$$
be a received word with at most three errors. So the known syndromes we need are $s_1 = a^5$, $s_5 = a^8$ and $s_7 = a^{26}$. Substitute these values into the system above and compute the reduced Gröbner basis of the system. The reduced Gröbner basis with respect to the degree reverse lexicographic order (here it is possible to go without
an elimination order, see Remark 13.8) restricted to the variables $\sigma_1, \sigma_2, \sigma_3$ is
$$\sigma_3 + a^4, \quad \sigma_2 + a^5, \quad \sigma_1 + a^5.$$
The corresponding values of the $\sigma$'s give rise to the error locator polynomial
$$\sigma(Z) = Z^3 + a^5 Z^2 + a^5 Z + a^4.$$
Factoring this polynomial yields three roots, $a^3, a^7, a^{25}$, which indicate the error positions. Note also that we could have worked only with the equations for $S_1, S_5, S_7, S_3, S_{11}, S_{15}, S_{31}$, but then the Gröbner basis computation is harder: on our computer it took 8 times longer.

Another way of finding the error locator polynomial $\sigma(Z)$ in the binary case is described in [10]. In this case the error values are 1 and the $S_i$, $i \in S_C$, are power sums of the error positions and therefore symmetric under all possible permutations of these positions. Hence $S_i$ is equal to a polynomial $w_i(\sigma_1, \ldots, \sigma_t)$. These $w_i$'s are known as Waring functions. By considering the ideal generated by the polynomials
$$S_i - w_i(\sigma_1, \ldots, \sigma_t), \quad i \in S_C,$$
Augot et al. were able to prove the unicity theorem for the solution $(\sigma_1^*, \ldots, \sigma_t^*)$ when the $S_i$'s are assigned the concrete values of the syndromes. Here the authors prefer online decoding to formal decoding, that is, they specialize some variables $S_i$ to specific values before any Gröbner basis computation. This approach demonstrates pretty good performance in practice, but it lacks theoretical explanations of several tricks the authors used. Further treatment of this approach is in [46].
13.4. Decoding and finding minimum distance of arbitrary linear codes

13.4.1. Decoding affine variety codes

The method proposed by Fitzgerald and Lax [47, 48] generalizes Cooper's philosophy to arbitrary linear codes. In this approach the main notion is the affine variety code. Let $I = \langle g_1, \ldots, g_m \rangle \subseteq \mathbb{F}_q[X_1, \ldots, X_s]$ be an ideal. Define $I_q := I + \langle X_1^q - X_1, \ldots, X_s^q - X_s \rangle$. So $I_q$ is a 0-dimensional ideal. Define also $V(I_q) =: \{P_1, \ldots, P_n\}$. The claim [48] is that every $q$-ary linear code $C$ with parameters $[n, k]$ can be seen as an affine variety code $C(I, L)$, that is, the image of a vector space $L$ under the evaluation map
$$\phi : R \to \mathbb{F}_q^n, \quad \bar{f} \mapsto (f(P_1), \ldots, f(P_n)),$$
where $R := \mathbb{F}_q[U_1, \dots, U_s]/I_q$, $L$ is a vector subspace of $R$ and $\bar f$ is the coset of $f$ in $\mathbb{F}_q[U_1, \dots, U_s]$ modulo $I_q$. In order to obtain this description we do the following. Given a $q$-ary $[n, k]$ code $C$ with a generator matrix $G = (g_{ij})$, we choose $s$ such that $q^s \ge n$, and construct $s$ distinct points $P_1, \dots, P_s$ in $\mathbb{F}_q^s$. Then there is an algorithm [49] that produces a Gröbner basis $\{g_1, \dots, g_m\}$ for an ideal $I$ of polynomials from $\mathbb{F}_q[X_1, \dots, X_s]$ that vanish at the points $P_1, \dots, P_s$. Then denote by $\xi_i \in \mathbb{F}_q[X_1, \dots, X_s]$ a polynomial that assumes the value 1 at $P_i$ and 0 at all other $P_j$. The linear combinations $f_i = \sum_{j=1}^n g_{ij} \xi_j$ constitute the set $L$, so that $g_{ij} = f_i(P_j)$. In this way we obtain that the code $C$ is an image of the evaluation map above, so $C = C(I, L)$. In the same way, by considering a parity check matrix instead of a generator matrix, we have that the dual code is also an affine variety code.

The method of decoding is analogous to the one of CRHT, with the generalization that along with the polynomials of the type of Eq. (13.3) one needs to add the polynomials $(g_l(X_{k1}, \dots, X_{ks}))_{l=1,\dots,m;\ k=1,\dots,t}$ for every error position. Namely, let $C$ be a $q$-ary $[n, k]$ linear code such that its dual is written as an affine variety code of the form $C^\perp = C(I, L)$, where
$$I = \langle g_1, \dots, g_m \rangle \subseteq \mathbb{F}_q[X_1, \dots, X_s], \qquad L = \{\bar f_1, \dots, \bar f_{n-k}\}, \qquad V(I_q) = \{P_1, \dots, P_s\}.$$
Let $r = (r_1, \dots, r_n)$ be a received word, $r = c + e$, with error vector $e = (e_1, \dots, e_n)$ with $t$ errors and $t \le e$. Then the syndromes are computed by
$$s_i = \sum_{j=1}^n r_j f_i(P_j) = \sum_{j=1}^n e_j f_i(P_j) \quad \text{for } i = 1, \dots, n-k.$$
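The construction of $L$ above, carried out in code as an added example (not part of the chapter): polynomials over $\mathbb{F}_q$ ($q$ prime) are stored as exponent-tuple dictionaries, $\xi_i$ is built with the formula $\prod_j (1 - (X_j - a_{ij})^{q-1})$ given in Answer (6) at the end of the chapter, and $f_i = \sum_j g_{ij}\xi_j$ is checked to evaluate to the rows of a generator matrix. The field $\mathbb{F}_3$, the six points and the ternary $[6,2]$ generator matrix used are constructed for illustration, and all function names are my own.

```python
"""Affine variety code representation C = C(I, L) of a linear code (Sec. 13.4.1).

Added example, not the chapter's code. A polynomial over F_q (q prime) is a dict
{exponent tuple: coefficient mod q}; the zero polynomial is the empty dict.
"""
from itertools import product


def all_points(s, q):
    """All q^s points of F_q^s, as tuples."""
    return list(product(range(q), repeat=s))


def padd(p, r, q):
    out = dict(p)
    for m, c in r.items():
        out[m] = (out.get(m, 0) + c) % q
    return {m: c for m, c in out.items() if c}


def pmul(p, r, q):
    out = {}
    for m1, c1 in p.items():
        for m2, c2 in r.items():
            m = tuple(a + b for a, b in zip(m1, m2))
            out[m] = (out.get(m, 0) + c1 * c2) % q
    return {m: c for m, c in out.items() if c}


def pscale(p, k, q):
    return {m: (c * k) % q for m, c in p.items() if (c * k) % q}


def const(k, s, q):
    return {(0,) * s: k % q} if k % q else {}


def peval(p, point, q):
    """Evaluate p at a point of F_q^s."""
    total = 0
    for m, c in p.items():
        term = c
        for x, e in zip(point, m):
            term = term * pow(x, e, q) % q
        total = (total + term) % q
    return total


def xi(point, s, q):
    """Indicator polynomial of `point`: value 1 there, 0 at every other point
    of F_q^s, via xi = prod_j (1 - (X_j - a_j)^(q-1)) and Fermat's little theorem."""
    poly = const(1, s, q)
    for j, a in enumerate(point):
        x_j = {tuple(1 if t == j else 0 for t in range(s)): 1}
        lin = padd(x_j, const(-a, s, q), q)          # X_j - a_j
        power = const(1, s, q)
        for _ in range(q - 1):
            power = pmul(power, lin, q)               # (X_j - a_j)^(q-1)
        poly = pmul(poly, padd(const(1, s, q), pscale(power, -1, q), q), q)
    return poly


def affine_variety_functions(G, points, q):
    """L = [f_1, ..., f_k] with f_i = sum_j G[i][j] * xi_j, so f_i(P_j) = G[i][j]."""
    s = len(points[0])
    xis = [xi(P, s, q) for P in points]
    L = []
    for row in G:
        f = {}
        for g_ij, xi_j in zip(row, xis):
            f = padd(f, pscale(xi_j, g_ij, q), q)
        L.append(f)
    return L


def evaluate(L, points, q):
    """The evaluation map phi: f -> (f(P_1), ..., f(P_n)), applied to each f in L."""
    return [[peval(f, P, q) for P in points] for f in L]
```

Running `evaluate(affine_variety_functions(G, pts, 3), pts, 3)` on a generator matrix `G` returns `G` itself, which is exactly the statement $C = C(I, L)$ for the chosen points.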
Now consider the ring $\mathbb{F}_q[X_{11}, \dots, X_{1s}, \dots, X_{t1}, \dots, X_{ts}, E_1, \dots, E_t]$, where $(X_{i1}, \dots, X_{is})$ correspond to the $i$-th error position and $E_i$ to the $i$-th error value. Consider the ideal $I_C$ generated by
$$\begin{array}{ll}
\sum_{j=1}^t E_j f_i(X_{j1}, \dots, X_{js}) - s_i, & 1 \le i \le n-k,\\
g_l(X_{j1}, \dots, X_{js}), & 1 \le l \le m,\ 1 \le j \le t,\\
E_k^{q-1} - 1, & 1 \le k \le t.
\end{array}$$
Note that $X_{ij}^q - X_{ij} \in I_C$ for all $1 \le i \le t$, $1 \le j \le s$. The order $<$ is defined as follows. It is the block order (

$U_1$ as in Theorem 13.34. The ideal $J(r)$ is generated by the entries of the vector $AU^T$, where $U = (U_1, \dots, U_{11})$. The matrix $U$ has entries $U_{ij}$, where $U_{ij} = U_{i+j-1}$ for all $i, j$ with $1 \le i + j \le 11$. The ideal $J(t, r)$ is generated by $J(r)$ and $J(t, U, V)$, and the generators of $J(2, U, V)$ are listed by
$$\begin{array}{l}
V_1 U_1 + V_2 U_2 - U_3,\\
V_1 U_2 + V_2 U_3 - U_4,\\
V_1 U_3 + V_2 U_4 - U_5,\\
V_1 U_4 + V_2 U_5 - U_6,\\
V_1 U_5 + V_2 U_6 - U_7,\\
V_1 U_6 + V_2 U_7 - U_8,\\
V_1 U_7 + V_2 U_8 - U_9,\\
V_1 U_8 + V_2 U_9 - U_{10},\\
V_1 U_9 + V_2 U_{10} - U_{11},\\
V_1 U_{10} + V_2 U_{11} - U_{10,3},\\
V_1 U_{11} + V_2 U_{11,2} - U_{11,3},
\end{array}$$
where
$$\begin{aligned}
-U_{10,3} &= a^{16} U_1 + a^{22} U_2 + a^{25} U_3 + a^{22} U_4 + a^{20} U_5 + a^{25} U_6 + a^{7} U_7 + a^{18} U_8 + a^{10} U_9 + a^{3} U_{10} + a^{16} U_{11},\\
U_{11,2} &= a^{3} U_1 + a^{9} U_2 + a^{12} U_3 + a^{9} U_4 + a^{7} U_5 + a^{12} U_6 + a^{20} U_7 + a^{5} U_8 + a^{23} U_9 + a^{16} U_{10} + a^{3} U_{11},\\
-U_{11,3} &= a^{19} U_1 + a^{19} U_2 + a^{7} U_3 + a^{12} U_4 + a^{5} U_5 + a^{9} U_6 + a^{9} U_7 + a^{23} U_8 + a^{4} U_9 + a^{24} U_{10} + a^{25} U_{11}.
\end{aligned}$$
The reduced Gröbner basis for the ideal $J(2, r)$ is
$$U_1,\ U_2 - 1,\ U_3 + a^9,\ U_4 - 1,\ U_5 + a^3,\ V_2 + a^9,\ V_1 + a^4,\ U_6 + a^{16},\ U_7 + a,\ U_8 + a^3,\ U_9 + a^{22},\ U_{10} - 1,\ U_{11} + a.$$
Let us check that this unique solution indeed gives rise to the error vector $e$. From the above we obtain that the vector $u(B, e)$ of unknown syndromes is $(0, 1, -a^9, 1, -a^3) = (0, 1, a^{22}, 1, a^{16})$. By Remark 13.19 we can then find $e$ as $e^T = B^{-1} u(B, e) = (0, 1, 0, -1, 0, 0, 0, 0, 0, 0, 0)^T$. We also note that the corresponding system for $t = 1$ has the reduced Gröbner basis $\{1\}$ and therefore has no solutions.

Example 13.36. Let us revisit Example 13.15. So we are working again with the 3-error-correcting binary cyclic code of length 31 with defining set $\{1, 5, 7\}$. So now we have $q = 2$, $n = 31$, and $t = 3$. So $m = 5$ and $q^m = 32$. Choose as matrix $B$ a Vandermonde matrix with $x_i = a^{i-1}$, where $a$ is a primitive 31st root of unity of $\mathbb{F}_{32}$ with $a^5 + a^2 + 1 = 0$. A parity check matrix of this code over $\mathbb{F}_2$ in row echelon form is $H = (I_{15} \mid P)$, where
$$P = \begin{pmatrix}
1&1&0&1&1&0&0&0&1&0&1&0&0&1&0&0\\
0&1&1&0&1&1&0&0&0&1&0&1&0&0&1&0\\
0&0&1&1&0&1&1&0&0&0&1&0&1&0&0&1\\
1&1&0&0&0&0&1&1&1&0&1&1&0&0&0&0\\
0&1&1&0&0&0&0&1&1&1&0&1&1&0&0&0\\
0&0&1&1&0&0&0&0&1&1&1&0&1&1&0&0\\
0&0&0&1&1&0&0&0&0&1&1&1&0&1&1&0\\
0&0&0&0&1&1&0&0&0&0&1&1&1&0&1&1\\
1&1&0&1&1&1&1&0&1&0&1&1&1&0&0&1\\
1&0&1&1&0&1&1&1&1&1&1&1&1&0&0&0\\
0&1&0&1&1&0&1&1&1&1&1&1&1&1&0&0\\
0&0&1&0&1&1&0&1&1&1&1&1&1&1&1&0\\
0&0&0&1&0&1&1&0&1&1&1&1&1&1&1&1\\
1&1&0&1&0&0&1&1&1&1&0&1&1&0&1&1\\
1&0&1&1&0&0&0&1&0&1&0&0&1&0&0&1
\end{pmatrix}.$$
Let, as in Example 13.15, $r = (0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1)$
be the received word, with errors on positions 4, 8, 26. The corresponding system is
$$\begin{array}{ll}
J(r), & \\
U_{29} V_1 + U_{30} V_2 + U_{31} V_3 + U_1, & \\
U_{30} V_1 + U_{31} V_2 + U_1 V_3 + U_2, & \\
U_{31} V_1 + U_1 V_2 + U_2 V_3 + U_3, & \\
U_{i-3} V_1 + U_{i-2} V_2 + U_{i-1} V_3 + U_i & \text{for } 4 \le i \le 31.
\end{array}$$
From this system we obtain a unique solution, which gives a way to find the error vector via multiplication of the vector of unknown syndromes by $B^{-1}$ on the left. Note that from the way we compute the syndrome in Eq. (13.1) and the way we have chosen the matrix $B$ it follows that actually $U_i = S_{i-1}$ and $V_j = \sigma_{t-j+1}$ for $1 \le i \le n$ and $1 \le j \le t$, where $S_i$ and $\sigma_j$ are the variables from Example 13.15. So we see that it is actually possible to decode without adding the field equations. This example also shows how we generalize the ideas from Sec. 13.3.2. Much more serious examples can be attacked by this approach. We only mention that decoding, e.g., 5-20 errors in a binary code of length 120 and dimension 10-30 is feasible. For more details, see [50].

Next we mention how the above technique can be adapted for finding the minimum distance of a code. The following is more or less a special case of Theorem 13.33 on decoding up to half the minimum distance.

Theorem 13.37. Let $B$ be an MDS matrix with structure constants $\mu_{ij}^l$ and linear functions $U_{ij}$. Let $H$ be a parity check matrix of the code $C$ such that $H = AB$. Let $t$ be the smallest integer such that $J(t, 0)$ has a solution $(u, v)$ with $u \ne 0$. Then $t$ is the minimum distance of $C$.

Again we supply the statement with an example.

Example 13.38. Let us find the minimum distance of a cyclic $[15, 7]$ binary code with check matrix
$$H = \begin{pmatrix}
1&1&0&1&0&0&0&1&0&0&0&0&0&0&0\\
0&1&1&0&1&0&0&0&1&0&0&0&0&0&0\\
0&0&1&1&0&1&0&0&0&1&0&0&0&0&0\\
0&0&0&1&1&0&1&0&0&0&1&0&0&0&0\\
0&0&0&0&1&1&0&1&0&0&0&1&0&0&0\\
0&0&0&0&0&1&1&0&1&0&0&0&1&0&0\\
0&0&0&0&0&0&1&1&0&1&0&0&0&1&0\\
0&0&0&0&0&0&0&1&1&0&1&0&0&0&1
\end{pmatrix}.$$
By computing the reduced Gröbner basis of $J(t, 0)$ for $t = 1, \dots, 4$ we see that it always consists of the elements $U_1, \dots, U_{15}$, so there is no solution $(u, v)$ with $u \ne 0$. For $t = 5$ the reduced Gröbner basis (with respect to the degree reverse lexicographic order) is listed in Appendix A. It can be seen that, e.g., $(u, v)$ with $u = (1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1)$ and $v = (1, 1, 0, 1, 0)$ is a solution of the
system $J(5, 0)$. So we obtained the desired solution, thus the minimum distance is 5. It can also be seen that $u$ corresponds to a codeword of weight 5, namely $c = (1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 1)$.

13.5. Thoughts for practitioners

From the practical point of view we can outline three major possible directions of further study for the method of quadratic system solving:
• Fast (polynomial time) decoding in the case when the dimension $k$ and the number of errors $t$ are small compared to the length $n$; e.g., for $k$ and $t$ of order $O(\sqrt{n})$ it is possible to decode in time $O(n^3)$.
• Try to adapt the method to the cryptanalysis of code-based cryptosystems that follow the ideas of McEliece and Niederreiter [52, 53].
• As the quadratic system we are working with has a quite specific reduced Gröbner basis, it might be possible to find specialized algorithms that would find such a basis and perform much faster.
The last item applies also to the other methods based on Gröbner bases: to find an adapted algorithm that would solve a particular system faster than a "generic" one.

13.6. Directions for future research

On the more theoretical side, probably one of the most important questions is that of estimating the complexity of the algorithms presented in this chapter. There were some attempts to apply the theory of semi-regular sequences, but so far they were not successful. Definitely more research is needed here, as this question is one of the milestones in comprehending the Gröbner bases-based methods. Also the question of formal decoding is interesting for particular classes of codes like cyclic codes and some AG-codes. It would be interesting to prove the existence of sparse general error-locator polynomials in these cases. This would shed more light on the old problem of whether decoding cyclic codes is NP-hard. For the method of quadratic equations it is possible to prove results like the ones presented here, but for the nearest codeword problem. So the question of list decoding should be studied here further.

13.7. Conclusions

In this chapter we gave an overview of some of the existing methods for decoding and finding the minimum distance of linear codes, and cyclic codes in particular. We tried to give an exposition in the order in which the material appeared historically, with the following improvements. We concentrated more on giving examples that would
facilitate understanding of the methods, rather than giving real-life comparisons, although such are also available in [50]. A SINGULAR library for generating the different systems for decoding is available [54]. Our original method based on solving a quadratic system was presented. It turned out that the corresponding reduced Gröbner basis for our system has a very simple form, which is not true for many other methods. We hope that more research in this area may reveal quite fast and robust algorithms that are able to correct up to the error-correcting capacity.
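The results stated in Examples 13.36 and 13.38 can be confirmed without any Gröbner basis computation, by plain arithmetic over $\mathbb{F}_2$. The following is an added example, not the chapter's code: it checks that the error positions 4, 8, 26 explain the syndrome of the received word $r$ of Example 13.36 (with $P$ transcribed from the matrix given there), and that the $[15, 7]$ code of Example 13.38 has minimum distance 5, by brute force over all $2^{15}$ words, with the codeword $c$ given there having weight 5. Function names are my own.

```python
"""Direct F_2 checks of Examples 13.36 and 13.38 (added example, not the chapter's code)."""

# Example 13.36: H = (I_15 | P); the 15 rows of P (15 x 16), transcribed from the text.
P_ROWS = [
    "1101100010100100", "0110110001010010", "0011011000101001",
    "1100001110110000", "0110000111011000", "0011000011101100",
    "0001100001110110", "0000110000111011", "1101111010111001",
    "1011011111111000", "0101101111111100", "0010110111111110",
    "0001011011111111", "1101001111011011", "1011000101001001",
]
RECEIVED = "0000010010111110010001110010001"   # r of Example 13.36
ERROR_POSITIONS = (4, 8, 26)                    # 1-based, as stated in the text

# Example 13.38: the 8 x 15 check matrix H of the cyclic [15,7] code.
H15 = [
    "110100010000000", "011010001000000", "001101000100000",
    "000110100010000", "000011010001000", "000001101000100",
    "000000110100010", "000000011010001",
]
CODEWORD_CLAIMED = "100000010001011"            # c of Example 13.38


def bits(word):
    return [int(ch) for ch in word]


def h31():
    """Rows of H = (I_15 | P) of Example 13.36 as 0/1 lists of length 31."""
    return [[1 if j == i else 0 for j in range(15)] + bits(p)
            for i, p in enumerate(P_ROWS)]


def syndrome(h_rows, word):
    """H * word^T over F_2."""
    return [sum(a & b for a, b in zip(row, word)) % 2 for row in h_rows]


def explains_syndrome(h_rows, received, positions):
    """True iff flipping the given 1-based positions of `received` yields a
    codeword, i.e. the error vector supported there has syndrome H r^T."""
    corrected = list(received)
    for p in positions:
        corrected[p - 1] ^= 1
    return not any(syndrome(h_rows, corrected))


def min_distance(h_rows):
    """Brute force over all 2^n nonzero words: (d, a codeword of weight d)."""
    n = len(h_rows[0])
    masks = [int("".join(map(str, row)), 2) for row in h_rows]
    best = (n + 1, 0)
    for x in range(1, 1 << n):                    # 32768 candidates for n = 15
        w = bin(x).count("1")
        if w < best[0] and all(bin(x & m).count("1") % 2 == 0 for m in masks):
            best = (w, x)
    return best[0], format(best[1], "0%db" % n)


if __name__ == "__main__":
    print(explains_syndrome(h31(), bits(RECEIVED), ERROR_POSITIONS))   # True
    print(min_distance([bits(row) for row in H15]))                     # (5, ...)
```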
Terminology

• Gröbner basis: A finite subset $G = \{g_1, \dots, g_m\}$ of an ideal $I \subseteq \mathbb{F}[X_1, \dots, X_n]$ is called a Gröbner basis for $I$ with respect to a monomial order $>$ if $L_>(I) = \langle \mathrm{lt}(g_1), \dots, \mathrm{lt}(g_m) \rangle$, where $L_>(I)$ is the leading ideal of $I$ with respect to $>$; Definition 13.4.
• generalized power sum function: It is a sum of the form $\sum_{l=1}^t y_l z_l^{i_m}$. In our context we use it to compute the syndrome via error locations and error values in Eq. (13.2).
• CRHT-ideal: It is an ideal constructed following Cooper's philosophy, and its variety contains the information needed for decoding a cyclic code. The generators of this ideal are given in Eq. (13.3).
• general error-locator polynomial: A polynomial $L_C = Z^e + a_{t-1} Z^{e-1} + \dots + a_0$ with $a_j \in \mathbb{F}_q[X_1, \dots, X_r]$, $0 \le j \le e-1$. When the $X$-variables are assigned the syndromes, the roots of $L_C(s, Z)$ give the error positions; Theorem 13.9.
• Newton identities: Equation (13.6) shows how the syndromes are connected with the elementary symmetric functions. One can use the known syndromes to find the symmetric functions, and then the error positions via the error-locator polynomial, see below.
• error-locator polynomial: It is the polynomial $\sigma(Z) = \prod_{l=1}^t (Z - z_l) = Z^t + \sigma_1 Z^{t-1} + \dots + \sigma_{t-1} Z + \sigma_t$, where the $\sigma$'s are the elementary symmetric functions and the $z$'s are the error positions. The knowledge of the symmetric functions yields the error positions as the roots of $\sigma(Z)$.
• formal and online decoding: The former term means that in a Gröbner basis-based method one needs to compute a Gröbner basis only once and then decode every time using this precomputed Gröbner basis. The latter term means that one performs the Gröbner basis computation every time one wants to decode. Online decoding involves systems with fewer variables and thus is much easier to handle; on the other hand, performing the Gröbner basis computation every time can be too time consuming.
• affine variety code: $C(I, L)$ is the image of a vector subspace $L$ under the map $\phi : R \to \mathbb{F}_q^n$, $\bar f \mapsto (f(P_1), \dots, f(P_n))$, where $R := \mathbb{F}_q[U_1, \dots, U_s]/I_q$, $\bar f \in L$, $f$ is any pre-image of $\bar f$ under the canonical homomorphism, and $L$ is a vector subspace of $R$.
• unknown syndromes: Let $b_1, \dots, b_n$ be a basis of $\mathbb{F}_q^n$ and let $B$ be the $n \times n$ matrix with $b_1, \dots, b_n$ as rows. The (unknown) syndrome $u(B, e)$ of a word $e$ with respect to $B$ is the column vector $u(B, e) = B e^T$. It has entries $u_i(B, e) = b_i \cdot e$ for $i = 1, \dots, n$; Definition 13.18.
• MDS basis/matrix: Let $b_1, \dots, b_n$ be a basis of $\mathbb{F}_q^n$. Let $B_s$ be the $s \times n$ matrix with $b_1, \dots, b_s$ as rows, and $B = B_n$. We say that $b_1, \dots, b_n$ is an ordered MDS basis and $B$ an MDS matrix if all the $s \times s$ submatrices of $B_s$ have rank $s$ for all $s = 1, \dots, n$. Let $C_s$ be the code with $B_s$ as parity check matrix; Definition 13.23.
Questions

(1) In Example 13.5 we have seen that $f = X^3$, $g = Y^4 - X^2 Y$ from $\mathbb{F}[X, Y]$ form a Gröbner basis of the ideal $I = \langle f, g \rangle$ with respect to the degree reverse lexicographic order $>_{dp}$. Do they form a Gröbner basis with respect to the lexicographic order $>_{lp}$?
(2) For constructing a binary cyclic code of length 41 we need a primitive 41st root of unity. What is the smallest field extension of $\mathbb{F}_2$ that has an element of order 41?
(3) In Eq. (13.4) the polynomial $p(n, X, Y) = (X^n - Y^n)/(X - Y) = \sum_{i=0}^{n-1} X^i Y^{n-1-i}$ is defined. Suppose that $n \ge 2$ and $(n, q) = 1$. Show that $x$ and $y$ are distinct if at least one of them is non-zero and $p(n, x, y) = 0$.
(4) In Theorem 13.9 the general error-correcting polynomial is defined. Does its degree depend on the number of errors that occurred?
(5) In Example 13.12 can we leave out the polynomials $Z_i Z_j p(15, Z_i, Z_j) = 0$, $1 \le i < j \le w$?
(6) Let $P_i = (a_{i1}, \dots, a_{is})$, $1 \le i \le n$, be $n$ distinct points in $\mathbb{F}_q^s$ ($q^s \ge n$). In Sec. 13.4.1 we needed functions $\xi_i$, $1 \le i \le n$, such that $\xi_i(P_i) = 1$ and $\xi_i(P_j) = 0$ for $j \ne i$. Give a representation of $\xi_i$ as a polynomial from $\mathbb{F}_q[X_1, \dots, X_s]$.
(7) In Definition 13.23 we are talking about an ordered MDS matrix. Is the order of $b_1, \dots, b_n$ really important for the MDS property to hold?
(8) In Definition 13.25 we introduced a Vandermonde matrix $B = B(x)$. Why is this matrix MDS?
(9) Let $C$ be an $[n, k, d]$ code over $\mathbb{F}_q$. Show that the code $C' = C \mathbb{F}_{q^m}$ has the same parameters $[n, k, d]$ over $\mathbb{F}_{q^m}$.
(10) For those who are familiar with the notion of a reduced Gröbner basis: Consider an ideal $I \subset \mathbb{F}_{37}[X, Y, Z]$. It is known that a Gröbner basis of $I$ with respect to the lexicographic order induced by $X > Y > Z$ is $X + 16,\ Y + 6,\ Z + 1$. What is the reduced Gröbner basis of $I$ with respect to the degree reverse lexicographic order?
Answers

(1) No. We have $\mathrm{lm}(f) = X^3$, $\mathrm{lm}(g) = X^2 Y$. Consider $h = Y \cdot f + X \cdot g = X Y^4 \in I$, but $\mathrm{lm}(h) = X Y^4$ is divisible neither by $X^3$ nor by $X^2 Y$.
(2) $\mathbb{F}_{2^{20}}$. In order to find it we need to find the smallest $n$ such that $41 \mid (2^n - 1)$; then the extension is $\mathbb{F}_{2^n}$. In our case $n = 20$.
(3) If $x = y$, then $p(n, x, y) = p(n, x, x) = n x^{n-1}$. Since we assumed $n \ge 2$ and $(n, q) = 1$, it follows that $x = y = 0$.
(4) No. The degree is always $e$, the error-correcting capacity. If $t < e$ errors occurred, then the specialized polynomial $L_C(s, Z)$ has the root zero with multiplicity $e - t$.
(5) No. The system $J_C(2) : Z_1 + Z_2,\ Z_1^3 + Z_2^3,\ Z_1^{15} + 1,\ Z_2^{15} + 1$ would have the Gröbner basis $Z_2^{15} + 1,\ Z_1 + Z_2$. Thus we would obtain solutions of the form $(a, a)$, $a \in \mathbb{F}_{16}$.
(6) $\xi_i(X_1, \dots, X_s) = \prod_{j=1}^s \big(1 - (X_j - a_{ij})^{q-1}\big)$. We have that if $X_j \ne a_{ij}$ for some $j$ then $X_j - a_{ij}$ is a non-zero element of $\mathbb{F}_q$, and thus $(X_j - a_{ij})^{q-1} = 1$. On the other hand, if $X_j = a_{ij}$, then $1 - (X_j - a_{ij})^{q-1} = 1$.
(7) Yes. Consider a matrix $M$ over $\mathbb{F}_2$ with rows $(1, 1)$ and $(0, 1)$. It is obvious that $M$ is an MDS matrix. On the other hand, if we exchange the rows, then the obtained matrix $N$ does not have the MDS property, because it has a zero in the first row, and thus not all the $1 \times 1$ submatrices of $N_1$ have full rank 1.
(8) First assume that all $x_i$ are non-zero. Consider an $s \times s$ submatrix $S$ of $B_s$ with the columns indexed by $j_1, \dots, j_s$, so that the rows of $S$ are $(1, \dots, 1),\ (x_{j_1}, \dots, x_{j_s}),\ \dots,\ (x_{j_1}^{s-1}, \dots, x_{j_s}^{s-1})$. The matrix $S$ is invertible, since its determinant can be computed to be $\prod_{i > j,\ i, j \in \{j_1, \dots, j_s\}} (x_i - x_j)$. If we allow some $x_i$ to be zero, w.l.o.g. $x_1 = 0$, and consider again a matrix $S$ wherein $j_1 = 1$, then we may consider the $(s-1) \times (s-1)$ submatrix $S'$ of $S$ obtained by leaving out the first row and the first column. The rank of $S'$ is $s - 1$ by the argument above. Then, passing to the matrix $S$, we see that its rank is $s$, because the first column of $S$ is $(1, 0, \dots, 0)^T$.
(9) Obviously the length of $C'$ is $n$. Then we claim that vectors $b_1, \dots, b_l$ from $\mathbb{F}_q^n$ are linearly dependent over $\mathbb{F}_q$ iff they are linearly dependent over $\mathbb{F}_{q^m}$. Indeed, if $b_1, \dots, b_l$ are linearly dependent over $\mathbb{F}_q$, they are linearly dependent over $\mathbb{F}_{q^m}$. The other way round, let there exist a non-trivial linear combination $\alpha_1 b_1 + \dots + \alpha_l b_l = 0$ with $\alpha_i \in \mathbb{F}_{q^m}$, $1 \le i \le l$. Write the $\alpha$'s as vectors over $\mathbb{F}_q$ of length $m$: $\alpha_i = (\alpha_{i1}, \dots, \alpha_{im})$, $1 \le i \le l$. Since the vectors $b_1, \dots, b_l$ are defined over $\mathbb{F}_q$, we have $\alpha_{1j} b_1 + \dots + \alpha_{lj} b_l = 0$, $1 \le j \le m$. As the initial linear combination was non-trivial, we obtain at least one non-trivial linear combination for $b_1, \dots, b_l$ over $\mathbb{F}_q$, and thus they are linearly dependent over $\mathbb{F}_q$. Therefore, the dimension of $C'$ is also $k$. Now the minimum distance can be found as the minimal number of linearly dependent columns of a parity check matrix of the code. Using the argument above we see that the minimum distance
of $C'$ is $d$, as a parity check matrix $H$ for $C$ is also a parity check matrix of $C'$.
(10) The same. Denote this basis by $G$. It is obvious that $X + 16,\ Y + 6,\ Z + 1 \in G$ and that $I$ is generated by these polynomials. For any other polynomial $f \in I$, it follows that $\mathrm{lm}(f)$ is divisible by one of $X$, $Y$, or $Z$. So $f$ does not belong to the reduced Gröbner basis.

Acknowledgments

The first author would like to thank "DASMOD: Cluster of Excellence in Rhineland-Palatinate" for funding his research, and also personally his Ph.D. supervisor Prof. Dr. Gert-Martin Greuel and his second supervisor Prof. Dr. Gerhard Pfister for continuous support. The work of the first author has been partially inspired by the Special Semester on Gröbner Bases, February 1 - July 31, 2006, organized by RICAM, Austrian Academy of Sciences, and RISC, Johannes Kepler University, Linz, Austria.

Appendix A. For Example 13.38

$$\begin{array}{l}
U_2,\ U_3,\ U_4,\ U_5,\ U_7,\ U_9,\ U_{10},\ U_{13},\ V_5 U_1,\ V_3 U_1,\ V_1 U_1 + U_6,\ U_6^2 + U_{11} U_1,\ U_{11} U_6 + U_{12},\\
V_5 U_6,\ V_4 U_6 + U_8,\ V_3 U_6,\ V_1 U_6 + U_{11},\ U_8^2 + U_{15} U_1,\ U_{12} U_8 + U_{14} U_6,\ V_5 U_8,\\
V_4 U_8 + V_2 U_6,\ V_3 U_8,\ V_2 U_8 + U_{12},\ U_{11}^2 + U_6 U_1,\ U_{12} U_{11} + U_{15} U_8,\ V_5 U_{11},\ V_4 U_{11} + V_1 U_8,\ V_3 U_{11},\\
V_2 U_{11} + U_{15},\ V_1 U_{11} + U_1,\ U_{12}^2 + U_8 U_1,\ U_{14} U_{12} + U_{15} U_{11},\\
V_5 U_{12},\ V_4 U_{12} + U_{14},\ V_3 U_{12},\ U_{14}^2 + U_{12} U_1,\ U_{15} U_{14} + U_8 U_6,\ V_5 U_{14},\ V_4 U_{14} + V_2 U_{12},\ V_3 U_{14},\\
V_2 U_{14} + V_4 U_1,\ U_{15}^2 + U_{14} U_1,\ V_5 U_{15},\ V_4 U_{15} + V_1 U_{12},\ V_3 U_{15},\ V_2 U_{15} + V_1 U_{14},\ V_1 U_{15} + V_2 U_1,\ V_4 U_{12} + U_{11} U_8,\\
V_2 U_1^2 + U_{15} U_6,\ V_2 U_6 U_1 + U_{15} U_{11},\ V_4^2 U_1 + V_2 U_1,\ U_{14} U_8 U_6 + U_{15} U_{12} U_1,\\
U_{15} U_8 U_6 + U_{12} U_1^2,\ V_2 U_{12} U_6 + U_{14} U_8,\ V_2^2 U_6 + U_{14},\ U_{14} U_{11} U_8 + U_{15} U_{12} U_6,\ U_{15} U_{11} U_8 + U_{12} U_6 U_1,\\
V_1 U_{14} U_8 + U_{15} U_{12},\ V_1^2 U_8 + V_4 U_1,\ V_2^2 U_{12} + V_2 U_1,\ V_2^3 U_1 + V_1 U_8,\ V_1^2 U_{12} + V_2 V_4 U_1,\ V_1^2 U_{14} + V_2^2 U_1.
\end{array}$$

References

[1] D. Cox, J. Little and D. O'Shea, "Ideals, varieties, and algorithms," 2nd Edition, Springer-Verlag, 1997.
[2] G.-M. Greuel and G. Pfister, "A SINGULAR Introduction to Commutative Algebra," Springer-Verlag, 2002.
[3] S. Arimoto, "Encoding and decoding of p-ary group codes and the correction system," (in Japanese) Inform. Processing in Japan, vol. 2, pp. 320–325, Nov. 1961.
[4] E.R. Berlekamp, Algebraic coding theory, McGraw Hill, New York, 1968.
[5] J.L. Massey, "Shift-register synthesis and BCH decoding," IEEE Trans. Inform. Theory, vol. IT-15, pp. 122–127, 1969.
[6] W.W. Peterson and E.J. Weldon, Error-correcting codes, MIT Press, Cambridge, 1977.
[7] Y. Sugiyama, M. Kasahara, S. Hirasawa and T. Namekawa, "A method for solving the key equation for decoding Goppa codes," Information and Control, vol. 27, pp. 87–99, 1975.
[8] D. Augot, P. Charpin and N. Sendrier, "The minimum distance of some binary codes via the Newton's Identities," Eurocodes'90, LNCS 514, pp. 65–73, 1990.
[9] D. Augot, P. Charpin and N. Sendrier, "Studying the locator polynomial of minimum weight codewords of BCH codes," IEEE Trans. Inform. Theory, vol. IT-38, pp. 960–973, May 1992.
[10] D. Augot, M. Bardet and J.-C. Faugère, "Efficient Decoding of (binary) Cyclic Codes beyond the correction capacity of the code using Gröbner bases," INRIA Report, no. 4652, Nov. 2002.
[11] D. Augot, M. Bardet and J.-C. Faugère, "On formulas for decoding binary cyclic codes," Proc. IEEE Int. Symp. Information Theory, 2007.
[12] M.A. de Boer and R. Pellikaan, "Gröbner bases for codes," in Some tapas of computer algebra (A.M. Cohen, H. Cuypers and H. Sterk eds.), Chap. 10, pp. 237–259, Springer-Verlag, Berlin, 1999.
[13] M.A. de Boer and R. Pellikaan, "Gröbner bases for decoding," in Some tapas of computer algebra (A.M. Cohen, H. Cuypers and H. Sterk eds.), Chap. 11, pp. 260–275, Springer-Verlag, Berlin, 1999.
[14] X. Chen, I.S. Reed, T. Helleseth and T.K. Truong, "Use of Gröbner bases to decode binary cyclic codes up to the true minimum distance," IEEE Trans. Inform. Theory, vol. IT-40, pp. 1654–1661, 1994.
[15] M. Caboara and T. Mora, "The Chen-Reed-Helleseth-Truong decoding algorithm and the Gianni-Kalkbrenner Gröbner shape theorem," Appl. Algebra Eng. Commun. Comput., 13, pp. 209–232, 2002.
[16] X. Chen, I.S. Reed, T. Helleseth and T.K. Truong, "Algebraic decoding of cyclic codes: a polynomial point of view," Contemporary Math., vol. 168, pp. 15–22, 1994.
[17] X. Chen, I.S. Reed, T. Helleseth and T.K. Truong, "General principles for the algebraic decoding of cyclic codes," IEEE Trans. Inform. Theory, vol. IT-40, pp. 1661–1663, 1994.
[18] A.B. Cooper, "Toward a new method of decoding algebraic codes using Gröbner bases," Trans. 10th Army Conf. Appl. Math. and Comp., pp. 1–11, 1993.
[19] E. Orsini and M. Sala, "Correcting errors and erasures via the syndrome variety," J. Pure and Appl. Algebra, 200, pp. 191–226, 2005.
[20] T. Mora and E. Orsini, "Decoding cyclic codes: the Cooper philosophy," a talk at the Special Semester on Gröbner bases, May 2006.
[21] M. Giorgetti and M. Sala, "A commutative algebra approach to linear codes," BCRI preprint no. 58, submitted to J. Algebra, www.bcri.ucc.ie, 2006.
[22] E. Orsini and M. Sala, "Improved decoding of affine-variety codes," BCRI preprint no. 68, www.bcri.ucc.ie, 2007.
[23] J.B. Farr and S. Gao, "Gröbner bases, Padé approximation, and decoding of linear codes," to appear in Coding Theory and Quantum Computing, Contemporary Mathematics, AMS, 2005.
[24] P. Fitzpatrick and J. Flynn, "A Gröbner basis technique for Padé approximation," J. Symbolic Computation, 24(5), pp. 133–138, 1992.
[25] M. Borges-Quintana, M.A. Borges-Trenard and E. Martínez-Moro, "A General Framework for Applying FGLM Techniques to Linear Codes," AAECC 2006, Lecture Notes in Computer Science, pp. 76–86, 2006.
[26] P. Loustaunau and E.V. York, "On the decoding of cyclic codes using Gröbner bases," AAECC, vol. 8 (6), pp. 469–483, 1997.
[27] P. Fitzpatrick, "On the key equation," IEEE Transactions on Information Theory, 41, no. 5, pp. 1290–1302, 1995.
[28] C. Lossen and A. Frühbis-Krüger, "Introduction to Computer Algebra (Solving Systems of Polynomial Equations)," http://www.mathematik.uni-kl.de/~lossen/SKRIPTEN/COMPALG/compalg.ps.gz, 2005.
[29] B. Buchberger, "Ein Algorithmus zum Auffinden der Basiselemente des Restklassenrings," Ph.D. thesis, Innsbruck, 1965.
[30] G.-M. Greuel, G. Pfister and H. Schönemann, Singular 3.0. A computer algebra system for polynomial computations, Centre for Computer Algebra, University of Kaiserslautern, 2007. http://www.singular.uni-kl.de.
[31] Magma V2.14-4, Computational Algebra Group, School of Mathematics and Statistics, University of Sydney, http://magma.maths.usyd.edu.au, 2007.
[32] CoCoA: a system for doing Computations in Commutative Algebra, http://cocoa.dima.unige.it, 2007.
[33] J.-C. Faugère, "A new efficient algorithm for computing Gröbner bases (F4)," Journal of Pure and Applied Algebra, 139(1–3), pp. 61–88, 1999.
[34] J.-C. Faugère, "A new efficient algorithm for computing Gröbner bases without reduction to zero (F5)," in T. Mora, editor, Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation (ISSAC), pp. 75–83, 2002.
[35] FGb, http://fgbrs.lip6.fr/jcf/Software/FGb/index.html, 2007.
[36] J.-C. Faugère, P. Gianni, D. Lazard and T. Mora, "Efficient Computation of Zero-dimensional Gröbner Bases by Change of Ordering," J. Symb. Comput., 16, pp. 329–344, 1993.
[37] T. Mora, E. Orsini and M. Sala, "General error locator polynomials for binary cyclic codes with t≤2 and n